September 2007
Report No. AUD-07-015

DSC’s Examination Assessment of Financial Institutions’ Compliance Management Systems

AUDIT REPORT


Background and Purpose of Audit

Compliance examinations are the primary supervisory tool the FDIC uses to determine
whether a financial institution is meeting its responsibility to comply with the
requirements of federal consumer protection laws and associated regulations.

In the mid-1990s, the FDIC introduced risk-scoping in the compliance examination process.
In June 2003, as part of the continued focus on risk-scoping, the FDIC revised the
compliance examination process to increase attention on an institution's compliance
management system (CMS). Although not required by law or regulation, the FDIC has stated
it expects the institutions it supervises to have an effective CMS designed to aid
compliance with consumer protection laws and regulations. Three interdependent elements
comprise a CMS: a board of directors and management oversight; a compliance program
(including policies and procedures, training, monitoring, and consumer complaint
response); and periodic compliance audits.

The audit objective was to determine whether the FDIC’s Division of Supervision and
Consumer Protection (DSC) is adequately assessing institutions’ CMSs during compliance
examinations.

To view full report, go to www.fdicig.ov/2007reports.asp

Results of Audit

Our review of seven sampled institutions showed that the examiners had adequately
assessed each financial institution’s CMS as part of the related compliance examination.
Specifically, the examiners (1) completed a preliminary risk assessment that addressed
each institution’s CMS to assist in risk-scoping the examination and (2) documented
support for examination conclusions regarding the CMS. Additionally, the Reports of
Examination (ROE) for the seven institutions addressed each CMS element, as shown in the
table below, and included a summary statement and conclusion on the quality of each
financial institution’s compliance management practices for each element. Also, where
significant violations were identified, the examiner tied the cause of the violation to
one of the CMS elements in the ROE.

Examiner Assessment of CMS Elements

                                   The ROE Included a Conclusion on Each Element
 CMS Elements                      1    2    3    4    5    6    7
 Board and Management Oversight    ✓    ✓    ✓    ✓    ✓    ✓    ✓
 Compliance Program                ✓    ✓    ✓    ✓    ✓    ✓    ✓
 Compliance Audit                  ✓    ✓    ✓    ✓    ✓    ✓    ✓

 Key
 ✓ A conclusion was in the ROE, and there was documented evidence of examination work
 performed.
Source: OIG analysis of the ROEs.

Recommendations and Management Response

Based on the FDIC’s establishment of examination guidance related to assessing an
institution’s CMS during a compliance examination and evidence of examiner implementation
of the guidance, we concluded our audit. The report does not make any recommendations.
DSC management commented that it was committed to assuring that financial institutions
implement effective consumer protection safeguards by maintaining strong CMSs.


TABLE OF CONTENTS

BACKGROUND
  FDIC Institution and Examination Guidance for a CMS
  Elements of an Effective CMS

RESULTS OF AUDIT
  Examiner Review of CMS Implementation
  Conclusion

CORPORATION COMMENTS

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY

APPENDIX II: FINANCIAL INSTITUTION LETTERS AND RD MEMORANDA

APPENDIX III: CORPORATION COMMENTS

TABLE 1: Interdependent Elements of an Effective CMS
TABLE 2: Examiner Assessment of CMS Elements

FIGURE: ROE Excerpt

ACRONYMS

CMS            Compliance Management System
DSC            Division of Supervision and Consumer Protection
FIL            Financial Institution Letter
RD             Regional Director
ROE            Report of Examination
RPSM           Risk Profile and Scope Memorandum


Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits
Office of Inspector General

DATE:             September 26, 2007

MEMORANDUM TO:    Sandra L. Thompson, Director
                  Division of Supervision and Consumer Protection

                  /Signed/
FROM:             Russell A. Rau
                  Assistant Inspector General for Audits

SUBJECT:          DSC’s Examination Assessment of Financial Institutions’
                  Compliance Management Systems
                  (Report No. AUD-07-015)


This report presents the results of our audit of the FDIC’s Division of Supervision and
Consumer Protection’s (DSC) examination assessment of financial institutions’
compliance management systems (CMS). Although not required by law or regulation,
the FDIC has stated that it expects each FDIC-supervised financial institution to have an
effective CMS adapted to its unique business strategy and designed to aid compliance with
consumer protection laws and regulations. The objective of the audit was to determine
whether DSC is adequately assessing financial institutions’ CMSs during compliance
examinations.

A CMS is how an institution:
  ✓ learns about its compliance responsibilities,
  ✓ ensures that employees understand these responsibilities,
  ✓ ensures that requirements are incorporated into business processes,
  ✓ reviews operations to ensure responsibilities are carried out and requirements are
    met, and
  ✓ takes corrective action and updates materials as necessary.
Source: The FDIC’s Compliance Examination Handbook.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Appendix I of this report discusses our audit objective, scope, and
methodology in detail. We concluded our fieldwork after a review of examination
documentation [1] and discussions with examiners and field office supervisors for a
limited sample of seven compliance examinations and the performance of related audit
procedures.

[1] The examination documentation included: (1) the Report of Examination (ROE), (2) the
Risk Profile and Scope Memorandum (RPSM), (3) examiner work papers, and (4) DSC’s System
of Uniform Reporting of Compliance and Community Reinvestment Act Examinations (SOURCE).


BACKGROUND

Financial institutions are required to comply with federal consumer protection laws and
regulations. Noncompliance can result in harm to consumers as well as monetary
penalties, litigation, and formal enforcement actions against the institution. The
responsibility for ensuring an institution is in compliance rests with the board of
directors and management of the institution.

As the federal supervisor of more than 5,000 financial institutions, the FDIC conducts
compliance examinations for each FDIC-supervised financial institution every 12 to
36 months, depending on the prior compliance examination rating and the asset size of
the institution.
These examinations are the primary tool the FDIC uses to determine
whether a financial institution is meeting its responsibilities to comply with consumer
protection requirements. The FDIC also promotes compliance with the requirements of
federal consumer protection laws and regulations through outreach programs, which
include attendance at bankers’ forums and conferences, and various supervisory
activities.

FDIC Institution and Examination Guidance for a CMS

In the mid-1990s, the FDIC introduced risk-scoping into the compliance examination
process. The goal of risk-scoping was for examiners to focus attention on regulatory
areas that posed the greatest risk to the institution and the greatest potential harm to
customers. In 2003, the FDIC built upon that approach by initiating top-down,
risk-focused compliance examinations that increased attention on a financial institution’s
CMS in order to emphasize a financial institution’s responsibility to ensure it complies
with consumer protection laws and regulations.

The FDIC notified the financial institutions it supervises of its revised compliance
examination approach through Financial Institution Letter (FIL) 52-2003, Revised
Compliance Examination Process; and FIL-10-2007, Compliance Examination
Handbook, which replaced the compliance examination procedures. The FDIC also
issued Regional Directors (RD) Memorandum 2005-035, Revised Compliance
Examination Procedures, dated August 18, 2005; and RD Memorandum 2006-034,
Compliance Examination Handbook, dated October 24, 2006, to transmit the revised
compliance examination procedures to its examination staff. The Compliance
Examination Handbook outlines procedures to guide the examiner through an assessment
of an institution’s CMS and assists the examiner in identifying specific areas of weakness
for further analysis.

Elements of an Effective CMS

According to the FDIC’s Compliance Examination Handbook, the three interdependent
elements shown in Table 1 commonly comprise an effective CMS. The handbook states
that when the three elements are strong and working together, an institution has an
increased likelihood of being successful at managing its compliance responsibilities,
including ensuring that it complies with federal consumer protection laws, regulations,
and guidelines.

Table 1: Interdependent Elements of an Effective CMS

Element: Board of Directors and Management Oversight
Description:
    The board of directors of a financial institution is ultimately responsible for
    developing and administering a CMS that ensures compliance with federal consumer
    protection laws and regulations. To a great degree, the success of an institution’s
    CMS is founded on the actions taken by its board and senior management. Key actions
    that a board and management may take to demonstrate their commitment to maintaining
    an effective CMS and to set a positive climate for compliance include:
    •    demonstrating clear and unequivocal expectations about compliance,
    •    adopting clear policy statements,
    •    appointing a compliance officer with authority and accountability,
    •    allocating resources to compliance functions commensurate with the level and
         complexity of the institution’s operations,
    •    conducting periodic compliance audits, and
    •    providing for recurrent reports by the compliance officer to the board.

Element: Compliance Program
Description:
    A financial institution should generally establish a formal, written compliance
    program. A compliance program includes the following components:
    •    policies and procedures,
    •    training,
    •    monitoring, and
    •    consumer complaint response.

    A well-planned, implemented, and maintained compliance program will prevent or reduce
    regulatory violations and provide cost-efficiencies and is a sound business step. It
    is expected that no two compliance programs will be the same and that a program will
    be dictated by numerous considerations, including:
    •    institution size, number of branches, and organizational structure;
    •    business strategy of the institution (e.g., community bank versus regional; or
         retail versus wholesale bank);
    •    types of products;
    •    location of the institution—its main office and branches; and
    •    other influences, such as whether the institution is involved in interstate or
         international banking.

Element: Compliance Audit
Description:
    A compliance audit is an independent review of an institution’s compliance with
    consumer protection laws and regulations and adherence to internal policies and
    procedures. The audit (1) helps management ensure ongoing compliance and identify
    compliance risk conditions and (2) complements the institution’s internal monitoring
    system. The board of directors of the institution should determine the scope of an
    audit and the frequency with which audits are conducted. The scope and frequency of
    an audit should consider such factors as:
    •    organization and staffing of the compliance function,
    •    complexity of products offered, and
    •    outsourcing of functions to third-party service providers.

Source: Compliance Examination Handbook.


RESULTS OF AUDIT

Our review of compliance examinations for seven sampled institutions showed that the
examiners had adequately assessed each financial institution’s CMS.
Specifically, the
examiners completed a preliminary risk assessment that addressed each institution’s CMS
to assist in risk-scoping the examination and documented support for examination
conclusions regarding the CMS. Additionally, the ROEs for the seven institutions
addressed each CMS element and included a summary statement and conclusion on the
quality of the financial institution’s compliance management practices for each element
as shown in Table 2 below. Also, where significant violations were identified, the
examiner tied the cause of the violation to one of the CMS elements in the ROE.

Table 2: Examiner Assessment of CMS Elements

                                   The ROE Included a Conclusion on Each Element
 CMS Elements                      1    2    3    4    5    6    7
 Board and Management Oversight    ✓    ✓    ✓    ✓    ✓    ✓    ✓
 Compliance Program                ✓    ✓    ✓    ✓    ✓    ✓    ✓
 Compliance Audit                  ✓    ✓    ✓    ✓    ✓    ✓    ✓

 Key
 ✓ A conclusion was in the ROE, and there was documented evidence of examination work
 performed.
Source: OIG analysis of ROEs for the seven institutions.

Examiner Review of CMS Implementation

According to the Compliance Examination Handbook, the examiner must assess the financial
institution’s CMS as it applies to key operational areas and evaluate the risk of
non-compliance with applicable laws and regulations. For each examination we reviewed, the
examiner documented the preliminary risk assessment of the institution’s CMS in the RPSM.
In our review of documentation of examiner fieldwork, we saw varying levels of evidence
documenting the examiner’s assessment of a financial institution’s CMS. For example, in
reviewing the board and management oversight element, we saw examiner interview notes
about board meetings or copies of meeting minutes in the examiner’s documentation. In
reviewing examiner documentation for the compliance program element, we saw, in some
instances, copies of compliance policies and procedures annotated with the examiner’s
comments or a chart summarizing the examiner’s review of a consumer complaint response. In
reviewing examiner documentation for the compliance audit element, we found the examiners
had documented the review of the audit committee meeting minutes. We also saw an instance
where the examiner had documented audit memoranda, audit plans, and a summary status of
audit exceptions. Although examination documentation varied, in each case, we were able to
determine that work had been performed in support of the examiner’s conclusions in the ROE.

The Compliance Examination Handbook states that the ROE must assess the strengths of
the institution’s CMS, clearly identify the most critical deficiencies and related causes,
and aid the institution’s board of directors and management in developing an action plan
to address the findings. The ROEs for the seven institutions discussed the overall quality
of the financial institutions’ CMSs and the examiners’ conclusions for each CMS
element, beginning with a summary statement about the quality of the financial
institution’s compliance management practices (strong, adequate, or weak) for each
element.

Also, in accordance with the Compliance Examination Handbook, where significant violations
were identified, the examiner tied the cause of the violation to an element of CMS in the
ROE. For example, one institution had a Truth in Lending Act violation resulting from the
failure to include the life-of-loan flood determination fees in the finance charge,
resulting in an understated finance charge. The ROE attributed the violation to
insufficient training and the bank staff’s lack of awareness of the disclosure requirement
and made recommendations to the board to improve the CMS in this area. The following
excerpt from one of the ROEs we reviewed provides an example of how examiners concluded on
each of the three CMS elements.

ROE Excerpt

     COMPLIANCE MANAGEMENT SYSTEM

     Board of Directors and Management Oversight

     Board and management oversight is considered strong. Management at all levels is
     knowledgeable of consumer compliance laws and regulations and is committed to an
     effective compliance program. The Board provides sufficient resources and authority
     to management and compliance personnel. The Board has formally appointed … as the
     bank’s compliance officer. Board members receive training quarterly from … to keep
     current with new laws and regulations. Audit and monitoring findings, as well as
     recommendations, are presented to the Board during the quarterly compliance
     meetings. In addition, policies, including compliance, are reviewed and approved by
     the Board annually.

Source: OIG review of examination documentation.

Conclusion

Based on the FDIC’s establishment of examination guidance related to assessing an
institution’s CMS during a compliance examination and evidence of examiner implementation
of the guidance, we concluded our audit. This report does not make any recommendations.


CORPORATION COMMENTS

On September 19, 2007, the Director, DSC, provided a written response to a draft of this
report. DSC’s response is presented in its entirety as Appendix III of this report. DSC
stated that it is committed to assuring that financial institutions implement effective
consumer protection safeguards by maintaining strong CMSs and will continue to emphasize
this important area of risk through its supervisory programs.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

Objective

The audit objective was to determine whether DSC is adequately assessing institutions’
CMSs during compliance examinations. We conducted this performance audit from May
through August 2007 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objective.
We believe that the evidence obtained provides
a reasonable basis for our observations.

Scope and Methodology

The scope of the audit focused on reviewing policies, procedures, and practices for the
examiner’s assessment of a financial institution’s CMS during a compliance examination.
We concluded our fieldwork after a review of the examination documentation for a
limited sample of compliance examinations for seven financial institutions.

We reviewed the FDIC’s Compliance Examination Handbook, which includes guidance
for the examiner’s assessment of a financial institution’s CMS, and performed the
following:

•   Obtained an understanding of:
    • the CMS expectations for financial institutions,
    • the CMS examination procedures,
    • the level of examiner assessment of the CMS,
    • how the CMS assessment results are used by the examiners to risk-scope the
       compliance examination and rate the financial institution, and
    • the impact of the CMS assessment on the overall results of the compliance
       examination process.

•   Met with and interviewed DSC officials and staff in headquarters and in the three
    DSC field offices.

•   Reviewed laws and regulations and other criteria pertaining to CMS, including:
    • FILs,
    • RD Memoranda, and
    • guidance on the Federal Financial Institutions Examination Council [2] Web site.

•   Reviewed the Formal and Informal Action Procedures Manual, dated December
    2005, covering administrative procedures affecting the processing and monitoring of
    corrective actions against financial institutions, including addressing violations of
    laws and other weaknesses in financial institutions.

•   Confirmed with OIG Counsel that there are no statutory or regulatory requirements
    for financial institutions to have a CMS.

•   Selected a limited, non-statistical sample of compliance examinations for review. [3]
    As of March 20, 2007, there were 5,238 active banks identified in DSC’s online
    resources. We pulled a random sample of 45 banks that had compliance
    examinations completed from January 1, 2006 through March 20, 2007. From that
    random sample, we selected seven examinations for review based on the size of the
    institutions, the compliance ratings, and location.

•   Reviewed examiner documentation for the selected compliance examinations in
    DSC’s Holyoke, South Boston, and Minneapolis field offices.

•   Reviewed congressional correspondence relating to improving federal consumer
    protection efforts.

•   Reviewed a Risk Analysis Center presentation, dated January 2007, on the New
    Compliance Examination Handbook.

•   Identified and reviewed applicable DSC Internal Control and Review Section reports,
    including Internal Control and Review-Field Territory Reviews: Potential Strong
    Practices, dated January 2006.

•   Reviewed the Office of Enterprise Risk Management 2006 Accountability Listing for
    DSC compliance and consumer protection.

•   Identified CMS examination procedures for the Office of Thrift Supervision, Office
    of the Comptroller of the Currency, and the Board of Governors of the Federal
    Reserve System.

•   Reviewed FDIC Supervisory Insights journals from summer 2004 through winter
    2006, for information on compliance examinations and CMS.

•   Reviewed and evaluated the following performance measurement planning
    documents:
    - FDIC Strategic Plan (2005-2010)
    - FDIC Annual Performance Plan for 2006 and 2007
    - FDIC Corporate Performance Objectives for both 2006 and 2007
    - FDIC 2006 Annual Report

[2] The Council is a formal interagency body empowered to prescribe uniform principles,
standards, and report forms for the federal examination of financial institutions by the
Board of Governors of the Federal Reserve System, FDIC, National Credit Union
Administration, Office of the Comptroller of the Currency, and Office of Thrift
Supervision and to make recommendations to promote uniformity in the supervision of
financial institutions.

[3] The results of a non-statistical sample cannot be projected to the intended
population by standard statistical methods.

Internal Controls

We gained an understanding of relevant internal controls by reviewing the: (1) DSC
Internal Control and Review Section’s internal review reports; (2) FDIC policies and
procedures, such as FILs and RD Memoranda related to compliance examinations and the
Relationship Manager Program; [4] (3) Compliance Examination Handbook; and
(4) examination procedures for assessing institution performance related to a CMS. In
addition, we interviewed DSC individuals to obtain an understanding of how examiners
use examination guidance to assess institutions’ CMSs during compliance examinations,
including how compliance examiners and the field office supervisors coordinate the
performance of work with risk management examiners.

[4] The Relationship Manager Program objectives include: improving communication,
increasing flexibility for risk-focused supervision, and providing a comprehensive ROE
that includes all supervisory ratings and addresses material findings in all areas.

Reliance on Computer-based Data

Our audit objective did not require that we assess the reliability of computer-based data.
We obtained certain data from SOURCE to identify the universe of banks that had a
compliance examination completed from January 1, 2006 through March 20, 2007.
However, for purposes of our audit, we did not rely on computer-based data to support
our observations or conclusions.

Compliance With Laws and Regulations

In conducting the audit, we confirmed with the FDIC’s OIG Counsel that there were no
federal statutory or regulatory requirements for financial institutions to have a CMS. We
did identify various consumer protection laws and regulations applicable to financial
institutions.

Government Performance and Results Act

The Government Performance and Results Act of 1993 directs federal agencies to
develop a strategic plan and annual performance plan to help improve federal program
effectiveness. We reviewed the FDIC’s Strategic Plan for 2005-2010 and the FDIC
Annual Performance Plan for 2006 and 2007. We determined that the FDIC has a
strategic goal and objective related to ensuring consumers’ rights are protected and that
FDIC-supervised institutions comply with consumer protection and fair lending laws.
The FDIC also has a 2007 performance goal to determine the need for changes in current
FDIC practices for following up on significant violations of consumer protection laws
and regulations identified during examinations of banks. We reviewed the FDIC’s
Corporate Performance Objectives for 2006 and 2007 and the FDIC 2006 Annual
Report. We determined that there were no specific strategic objectives or goals directly
related to DSC’s examination assessment of a financial institution’s CMS.

Fraud and Illegal Acts

We did not develop specific procedures to detect fraud and illegal acts because they were
not considered material to the audit objective. However, throughout our review, we were
sensitive to the potential for acts of fraud and illegal acts, and none came to our
attention.

Prior Audit Coverage

The OIG has conducted two prior audits related to compliance examinations. We
discussed the audits with the OIG Auditors-in-Charge and reviewed their work papers
and the Status of DSC Corrective Action reports for the prior audits. Additionally, we
performed a comparative analysis of the results of the prior audit reports, listed below, to
our audit objective, scope, and methodology.

Audit Report No. 05-038, Audit of DSC’s Risk-Focused Compliance Examination
Process, issued September 2005. The objective of this audit was to determine whether
DSC’s risk-focused compliance examination program resulted in examinations that were
adequately planned and effective in assessing financial institution compliance with
consumer protection laws and regulations. We recommended that the Director, DSC,
clarify and reinforce requirements that examiners adequately document the scope of work
performed, including transaction testing and spot checks of the reliability of the
institutions’ compliance review functions, during the on-site portions of compliance
examinations.

Audit Report No. 06-024, Audit of DSC’s Supervisory Actions Taken for Compliance
Violations, issued September 2006. The objective of this audit was to determine
whether DSC adequately addressed the violations and deficiencies reported in
compliance examinations to ensure that FDIC-supervised institutions took appropriate
corrective action. We recommended that the Director, DSC, strengthen guidance related
to the monitoring and follow-up processes for compliance violations by revising: (1) the
Compliance Examination Procedures to require follow-up between examinations on
repeat, significant compliance violations and program deficiencies; (2) the Formal and
Informal Action Procedures Manual to require consideration of supervisory actions when
any institution’s corrective action on repeat, significant violations is not timely or when
repeat, significant violations are a recurring examination finding; and (3) DSC’s
performance goals to focus more broadly on institutions with repeat, significant
violations.


APPENDIX II

FINANCIAL INSTITUTION LETTERS AND RD MEMORANDA

Financial Institution Letters (with Description/Summary)

•   FIL-10-2007, Compliance Examination Handbook, January 30, 2007
    The Compliance Examination Handbook replaced the Compliance Examination Manual in
    June 2006 and includes guidance for examiner assessment of an institution’s CMS.

•   FIL-52-2003, Revised Compliance Examination Process, June 20, 2003
    The FDIC’s revisions to its process for examining FDIC-supervised depository
    institutions to determine their compliance with consumer protection laws and
    regulations. The revised process focuses increased attention on an institution’s CMS.

DSC Regional Directors Memoranda (with Description/Summary)

•   2006-034, Compliance Examination Handbook, October 24, 2006
    Transmitted the total revision and replacement of the Compliance Examination Manual.
    The handbook captures outstanding examination policies and procedures in effect as of
    June 30, 2006.

•   2005-035, Revised Compliance Examination Procedures, August 18, 2005
    Transmitted revised compliance examination procedures for on-site reviews beginning
    on or after January 1, 2006.


APPENDIX III

CORPORATION COMMENTS